Zero Day PowerShell Attacks Heading Your Way


Zero Day PowerShell Attacks Heading Your Way

Post by ssj100 on 5/8/2010, 08:19

http://www.blueridgenetworks.com/securitynowblog/zero-day-powershell-attacks-advanced-persistent-threat-protection-software

Cyber criminals are undoubtedly developing and distributing malicious PowerShell based malware attacks that researchers say cannot be stopped by antivirus, HIPS, SRP, or just about any other security software product that you may have on your computer.

The obvious workaround is to remove PowerShell.exe from computers. However, this cannot be done for Windows 7 because it is embedded in the operating system.

I feel there is some misinformation here. In my security setup/approach post, I emphasise the importance of blocking already built-in scripting programs like cmd.exe and cscript.exe. For Windows 7 and in the context of PowerShell, you would simply need to block "powershell.exe" and "powershell_ise.exe" as I discussed here:
http://ssj100.fullsubject.com/windows-hardening-f5/blocking-powershell-t7.htm#21

Another method of disabling PowerShell is to simply rename "powershell.exe" and "powershell_ise.exe" (much like what I've personally done with renaming cmd.exe to allow Sandboxie's delete mechanism to function). In this way, you can still manually invoke PowerShell as required, while any spontaneous remote execution (e.g. initiated by malware) would be blocked.

Furthermore, classical HIPS software can also be configured to block "powershell.exe" and "powershell_ise.exe" from executing. Therefore, I'm not sure what exactly Eirik Iverson (author of the article) is referring to or meaning when he writes that SRP/HIPS can't stop PowerShell scripts.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Zero Day PowerShell Attacks Heading Your Way

Post by languy99 on 5/8/2010, 08:34

That article reads like they are just trying to promote AppGuard.

Re: Zero Day PowerShell Attacks Heading Your Way

Post by noorismail on 5/8/2010, 19:07

@ssj100/Languy 99

Is that the name you use to search for?
PowerShell.exe?

If so, I also do not have it on board XP SP3.

Don't have it, never will!!

Have you guys noticed that a lot of these exploits are things you almost have to go out of your way to be victimized by?

If people would only install less dreck, and turn off/remove the stuff they do not need, so much of this esoterica could be avoided.


Not to preach, but this is where I love Sandboxie/Shadow Defender.

I can install some kind of dodgy media player that I would NEVER consider having on my real system, not just because of the malware risk, but because of all the updaters, notifiers, etc. they install.
I can watch my crappy horror movie, empty the Sandbox, reboot, and I keep dodging the bullet!!

noor

_________________
Shadow Defender 1.1.0.323, Sandboxie 3.49, NAT router.
OpenDNS with "Malware/Botnet Protection",
Malware Defender, Malwarebytes on demand.

Re: Zero Day PowerShell Attacks Heading Your Way

Post by ssj100 on 6/8/2010, 04:08

noorismail wrote:@ssj100/Languy 99

Is that the name you use to search for?
PowerShell.exe?

If so, I also do not have it on board XP SP3.

Don't have it, never will!!

Have you guys noticed that a lot of these exploits are things you almost have to go out of your way to be victimized by?

If people would only install less dreck, and turn off/remove the stuff they do not need, so much of this esoterica could be avoided.


Not to preach, but this is where I love Sandboxie/Shadow Defender.

I can install some kind of dodgy media player that I would NEVER consider having on my real system, not just because of the malware risk, but because of all the updaters, notifiers, etc. they install.
I can watch my crappy horror movie, empty the Sandbox, reboot, and I keep dodging the bullet!!

noor

Yes, you shouldn't have PowerShell on Windows XP unless you specifically manually installed it yourself. 99.9999% of home users have absolutely no use for it, and I'm one of them (and I see you are too).

Funny you mention the "crappy horror movie" - I just watched one haha, and about to watch another!

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Zero Day PowerShell Attacks Heading Your Way

Post by noorismail on 6/8/2010, 07:04

Oh, yeah, I am addicted to them. I have to get my "C" grade horror fix on a daily basis!!
So many of the sites have been pulled down now, you have to look a bit to find one.


noor

_________________
Shadow Defender 1.1.0.323, Sandboxie 3.49, NAT router.
OpenDNS with "Malware/Botnet Protection",
Malware Defender, Malwarebytes on demand.

Re: Zero Day PowerShell Attacks Heading Your Way

Post by tnegjm on 6/8/2010, 08:53

noorismail wrote:@ssj100/Languy 99

Not to preach, but this is where I love Sandboxie/Shadow Defender.

I can install some kind of dodgy media player that I would NEVER consider having on my real system, not just because of the malware risk, but because of all the updaters, notifiers, etc. they install.
I can watch my crappy horror movie, empty the Sandbox, reboot, and I keep dodging the bullet!!

noor
Exactly. I do the same except with VMs and SBIE.


Re: Zero Day PowerShell Attacks Heading Your Way

Post by noorismail on 6/8/2010, 09:42

@tnegjm
Yeah, spot on!!
Gets the job done!!

noor

_________________
Shadow Defender 1.1.0.323, Sandboxie 3.49, NAT router.
OpenDNS with "Malware/Botnet Protection",
Malware Defender, Malwarebytes on demand.

Re: Zero Day PowerShell Attacks Heading Your Way

Post by MrBrian on 7/8/2010, 23:01

AppLocker can block PowerShell scripts.

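MrBrian's one-liner is correct, and the mechanism is worth spelling out because it differs from SRP's: AppLocker keeps a separate "Script" rule collection (.ps1, .bat, .cmd, .vbs, .js), and as soon as that collection holds a single rule, every script it covers that no rule allows is refused. The following is an added example written for this thread, not code from the thread, from AppGuard or from Microsoft; it assumes Windows 7 Enterprise or Ultimate (the only Windows 7 editions that enforce AppLocker and ship its PowerShell module), an elevated prompt, and that C:\Users\Public and %WINDIR%\Temp are writable for planting the probe scripts:

```powershell
# Added example, not code from the thread or from Microsoft's documentation.
# Assumes Windows 7 Enterprise/Ultimate (the editions that ship AppLocker and
# its PowerShell module) and an elevated prompt.
Import-Module AppLocker

# Script rules cover .ps1, .bat, .cmd, .vbs and .js. Once a collection holds
# one rule, anything it covers that no rule allows is denied, so allow rules
# for the two trusted roots are all that is needed to refuse a .ps1 dropped
# into a user profile. %WINDIR% has user-writable corners (Temp, Tasks, ...)
# and a Deny rule beats any Allow rule, so Temp gets an explicit Deny.
# EnforcementMode starts as AuditOnly; flip it to "Enabled" after reviewing
# the audit log.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Scripts under Windows"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Scripts under Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="No scripts from Windows\Temp"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'script-rules.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run against three scripts before anything is enforced: a .cmd that ships
# with Windows, a probe planted in the Public profile, and a probe planted in
# Windows\Temp (both probes are constructed here for the test).
$probes = @("$env:WINDIR\System32\winrm.cmd",
            "$env:PUBLIC\probe.ps1",
            "$env:WINDIR\Temp\probe.ps1")
'Write-Host probe' | Set-Content -Path $probes[1]
'Write-Host probe' | Set-Content -Path $probes[2]
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probes -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $probes[1], $probes[2]

# Apply the collection locally (merged with whatever is already there), make
# sure the Application Identity service AppLocker depends on is running, and
# read the script audit log before switching the collection to Enabled.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/MSI and Script' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

The dry run is the part to look at: winrm.cmd should come back Allowed by the Windows rule, the Public probe DeniedByDefault (no rule matches, and the collection is no longer empty), and the Temp probe Denied by the explicit rule. AppLocker only sees .ps1 files because PowerShell itself asks it before loading a script, so this protects against scripts, not against a PowerShell host being driven from the command line; a rule on powershell.exe in the Executable collection is a separate decision.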

Re: Zero Day PowerShell Attacks Heading Your Way

Post by ssj100 on 8/8/2010, 02:43

MrBrian wrote:AppLocker can block PowerShell scripts.

Given SRP can block them (10 year old technology), it's good to see AppLocker can as well haha.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Zero Day PowerShell Attacks Heading Your Way

Post by Tranquility on 10/8/2010, 07:25

Have you tested to see if SRP can block PowerShell scripts? The reason I ask is I can block .js (JavaScript) files in SRP file types and sure enough, if I create a .js file on my desktop and double-click it, SRP will step in and prevent it from executing. But SRP will not stop .js files from running in IE, or any other browser for that matter, while browsing the web.

I'm not familiar with PowerShell or how it receives its scripts, but if it is from within its own virtual address space like a browser receives its .js files, or Word receives its macros, then SRP won't be able to intercede.


Re: Zero Day PowerShell Attacks Heading Your Way

Post by ssj100 on 10/8/2010, 10:33

Tranquility wrote:Have you tested to see if SRP can block PowerShell scripts? The reason I ask is I can block .js (JavaScript) files in SRP file types and sure enough, if I create a .js file on my desktop and double-click it, SRP will step in and prevent it from executing. But SRP will not stop .js files from running in IE, or any other browser for that matter, while browsing the web.

I'm not familiar with PowerShell or how it receives its scripts, but if it is from within its own virtual address space like a browser receives its .js files, or Word receives its macros, then SRP won't be able to intercede.

Good question. I wonder if AppLocker can block such scripts when launched within a browser/Word etc.?

By the way, I think PowerShell scripts require powershell.exe or powershell_ise.exe in order to run. As I understand it, the same applies for any processes that try to run via the command prompt if cmd.exe and command.com are directly blocked from running.

Again, I would really like to get hold of some real live malware (or even a POC, since such live malware probably doesn't exist in-the-wild) that executes via java or macros (and which bypasses a tightly configured SRP). Regardless, even if such malware did bypass SRP (please PM me a sample haha), I guess that's why I run Sandboxie!

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Zero Day PowerShell Attacks Heading Your Way

Post by ssj100 on 10/8/2010, 14:22

Tranquility wrote:But, SRP will not stop .js files from running in IE, or any other browser for that matter, while browsing the web.

By the way Tranquility, could you please link me to a site which executes .js files in the manner you describe? I'd like to test this for myself. I did it by trying to open/run a .js file (that was on my desktop) via IE and SRP blocked it - clearly, this wasn't what you were talking about. Cheers mate.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Zero Day PowerShell Attacks Heading Your Way

Post by Tranquility on 10/8/2010, 19:43

Perhaps you misunderstood? Almost all websites today use javascript. IE will download and run .js files included in those websites, even with .js files disallowed by SRP. It is able to do so because IE loads and runs the files within its own virtual address space. The same thing happens with Adobe software and its PDF files. Once the PDF file is opened - ergo, opened into Adobe's virtual address space - the only thing controlling whether any scripts contained within that PDF run is Adobe's settings.

I'm not familiar with PowerShell or the files it uses to know whether the same things can occur there.


Re: Zero Day PowerShell Attacks Heading Your Way

Post by ssj100 on 10/8/2010, 23:55

Tranquility wrote:Perhaps you misunderstood? Almost all websites today use javascript. IE will download and run .js files included in those websites, even with .js files disallowed by SRP. It is able to do so because IE loads and runs the files within its own virtual address space. The same thing happens with Adobe software and its PDF files. Once the PDF file is opened - ergo, opened into Adobe's virtual address space - the only thing controlling whether any scripts contained within that PDF run is Adobe's settings.

Well, I can't find the reference right now, but I remember reading somewhere that if you specifically blocked (via SRP) a certain .DLL file, then JavaScript wouldn't work in websites too - that means SRP can block JavaScript, right? The reason why lots of things function (like JavaScript) is because (like me) you've probably white-listed the entire C:\Windows folder (which I think contains the DLLs required to run JavaScript in websites etc.). Once I find that reference again, I can test it out. For me, it's no concern, given I sandbox my web browsers etc. with Sandboxie, but it'd be good to know the extent of what SRP is capable of.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Zero Day PowerShell Attacks Heading Your Way

Post by Sadeghi85 on 11/8/2010, 02:25

ssj100 wrote:

Well, I can't find the reference right now, but I remember reading somewhere that if you specifically blocked (via SRP) a certain .DLL file, then JavaScript wouldn't work in websites too

I think it's "jscript.dll".

With UAC enabled, IE operates in "Protected Mode" which acts like a sandbox.

Internet Explorer 7's "Protected Mode" feature uses UAC to run with a 'low' integrity level (a Standard user token has an integrity level of 'medium'; an elevated (Administrator) token has an integrity level of 'high'). As such, it effectively runs in a sandbox, unable to write to most of the system (apart from the Temporary Internet Files folder) without elevating via UAC. Since toolbars and ActiveX controls run within the Internet Explorer process, they will run with low privileges as well, and will be severely limited in what damage they can do to the system.

http://en.wikipedia.org/wiki/User_Account_Control#Features


Re: Zero Day PowerShell Attacks Heading Your Way

Post by MrBrian on 11/8/2010, 04:48

Tranquility wrote:Have you tested to see if SRP can block PowerShell scripts? The reason I ask is I can block .js (JavaScript) files in SRP file types and sure enough, if I create a .js file on my desktop and double-click it, SRP will step in and prevent it from executing. But SRP will not stop .js files from running in IE, or any other browser for that matter, while browsing the web.

SRP blocks JavaScript processed by the standalone JavaScript processors. It wasn't intended to block JavaScript in web browsers.


Re: Zero Day PowerShell Attacks Heading Your Way

Post by Tranquility on 11/8/2010, 05:43

That is exactly what I was explaining. I was curious if it is the same way with PowerShell.


Re: Zero Day PowerShell Attacks Heading Your Way

Post by ssj100 on 11/8/2010, 10:00

MrBrian wrote:
Tranquility wrote:Have you tested to see if SRP can block PowerShell scripts? The reason I ask is I can block .js (JavaScript) files in SRP file types and sure enough, if I create a .js file on my desktop and double-click it, SRP will step in and prevent it from executing. But SRP will not stop .js files from running in IE, or any other browser for that matter, while browsing the web.

SRP blocks JavaScript processed by the standalone JavaScript processors. It wasn't intended to block JavaScript in web browsers.

Sure, perhaps it wasn't intended, but my point is that it can be configured to block it easily (block jscript.dll and java.exe). Please correct me if I'm wrong. In fact, I think it can be configured to block pretty much all types of scripts (block scrrun.dll). Whether it should be done or not is of course completely the choice of the user.

For example, I'd rather allow pretty much all scripts to run, but have them run in a contained environment (eg. Sandboxie). In this way, I'm getting excellent experience/convenience as well as maintaining excellent security.

I have tried many types of security setups/approaches, including running full-blown classical HIPS. In the end, the most convenient method (while maintaining "100%" security) is in my signature. I haven't really changed this setup for nearly 10 months (and the changes I did make were to simplify even more - e.g. I got rid of all installed black-listing software and got rid of any third-party software firewall).

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Zero Day PowerShell Attacks Heading Your Way

Post by ssj100 on 11/8/2010, 11:40

Tranquility wrote:That is exactly what I was explaining.

Yes, but as I implied in the previous post, it would have been nice to have also mentioned blocking jscript.dll and java.exe to block all JavaScript in browsers with SRP? The way you wrote it, it sounded like SRP couldn't block it. But it can, right?

Tranquility wrote:I was curious if it is the same way with PowerShell.

According to Wiki, PowerShell consists "of a command-line shell and associated scripting language built on top of, and integrated with, the .NET Framework":
http://en.wikipedia.org/wiki/Windows_PowerShell

Therefore, it sounds like blocking the command-line shell executable (powershell.exe) would not completely block it? I think it would still be able to run within web browsers etc., just like JavaScript. Of course, there should be a way to block it in web browsers etc. too (just like with JavaScript) - there is probably a DLL file that simply needs to be blocked.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
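The two SRP ideas in this thread, the first post's path rules on powershell.exe and powershell_ise.exe and the later suggestion of Disallowed rules on jscript.dll and scrrun.dll, are the same operation in SRP terms: a Disallowed path rule that is more specific than the Unrestricted rule most people keep on %WINDIR%, which SRP honours because the most specific matching path rule wins. The script below is an added example for this thread, not code from the thread or from any product mentioned in it; it writes those rules the way the secpol.msc snap-in stores them, and it assumes that the local SRP store lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers with a numeric subkey per level (0 for Disallowed, 0x40000 for Unrestricted), one GUID-named subkey per rule, and the ItemData/SaferFlags/Description/LastModified values the snap-in writes. Two caveats a practitioner wants stated up front: DLL rules are ignored unless SRP's enforcement covers libraries (the TransparentEnabled value below), which checks every DLL load on the machine; and PowerShell scripts do not run inside web browsers, so there is no browser-side DLL to chase. The engine is a .NET assembly that the two hosts load and that any other .NET program can host as well, which is the real limit of blocking by executable path.

```powershell
# Added example, not code from the thread or from any product mentioned in it.
# Writes local Software Restriction Policy path rules the way the secpol.msc
# snap-in stores them. Assumption: the local SRP store lives under
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID}
# with level 0 = Disallowed and 0x40000 = Unrestricted. Run it elevated, on a
# machine where SRP has already been switched on once in secpol.msc.

$safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 0x40000

$me = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}
if (-not (Test-Path $safer)) {
    throw 'No SRP policy exists yet; create one in secpol.msc first.'
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [int]$Level = $Disallowed,
        [string]$Description = ''
    )
    # One GUID-named subkey per rule, filed under the level the rule assigns.
    $key = Join-Path $safer ('{0}\Paths\{{{1}}}' -f $Level, [guid]::NewGuid())
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord        -Value ([DateTime]::Now.ToFileTime()) -Force | Out-Null
    $key
}

# 1. Block both PowerShell hosts by full path (the first post). A full-path
#    Disallowed rule is more specific than the usual Unrestricted rule on
#    %WINDIR%, and SRP lets the most specific matching path rule win. 64-bit
#    Windows 7 carries a second, 32-bit copy under SysWOW64, so rule that too
#    (harmless on 32-bit, where the path does not exist).
foreach ($exe in 'powershell.exe', 'powershell_ise.exe') {
    Add-SrpPathRule -Path "%WINDIR%\System32\WindowsPowerShell\v1.0\$exe" -Description "Block $exe"        | Out-Null
    Add-SrpPathRule -Path "%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\$exe" -Description "Block 32-bit $exe" | Out-Null
}

# 2. Add PS1 to the designated file types so a .ps1 handed to the shell is
#    evaluated as an executable rather than as a document.
$types = (Get-ItemProperty -Path $safer -Name ExecutableTypes).ExecutableTypes
if ($types -notcontains 'PS1') {
    Set-ItemProperty -Path $safer -Name ExecutableTypes -Value ([string[]]($types + 'PS1'))
}

# 3. The jscript.dll / scrrun.dll idea only works if SRP checks library loads
#    as well: TransparentEnabled 2 = all software files, 1 = executables only
#    (the snap-in's "Enforcement" page). Expect slower program starts and some
#    breakage, since every DLL load is now evaluated; try it in a VM first.
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 2
Add-SrpPathRule -Path '%WINDIR%\System32\jscript.dll' -Description 'JScript engine (IE, WSH)'            | Out-Null
Add-SrpPathRule -Path '%WINDIR%\System32\scrrun.dll'  -Description 'Scripting Runtime (FileSystemObject)' | Out-Null

# 4. List every path rule in the store so the result can be checked by eye.
function Get-SrpPathRule {
    Get-ChildItem -Path $safer | ForEach-Object {
        $n = $_.PSChildName -as [int]
        if ($n -eq $null) { return }            # not a level key
        $level = switch ($n) { $Disallowed { 'Disallowed' } $Unrestricted { 'Unrestricted' } default { $n } }
        $paths = Join-Path $_.PSPath 'Paths'
        if (Test-Path $paths) {
            Get-ChildItem -Path $paths | ForEach-Object {
                $p = Get-ItemProperty -Path $_.PSPath
                New-Object PSObject -Property @{ Level = $level; Path = $p.ItemData; Description = $p.Description }
            }
        }
    }
}
Get-SrpPathRule | Format-Table Level, Path, Description -AutoSize
```

Log off and back on (or reboot) so the policy is re-read; after that powershell.exe started from Explorer or the Run box is refused by SRP. The rules land in the same place secpol.msc reads from, so they show up in the Additional Rules list next to hand-made ones and can be deleted there, or by removing the GUID subkey that Add-SrpPathRule returns. Step 3 is the part to keep on a Drive Snapshot image or in VirtualBox until it has been lived with for a while: with TransparentEnabled at 2, a stray Disallowed rule on a folder that holds DLLs breaks every program that loads them.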
